Example 42: Tip of the Week 39 – Secure data management with multiple eyaml keys

General technology 2017-09-25

Stricter security requirements often demand that keys are kept separate per infrastructure stage. This means we have to deal with multiple eyaml keys: one for the production stage and another for the CI and development stages.

The private production key must not be handed out to anyone. Everybody should have access to the production public key (which is all that is needed for encryption). All other keys can be made available to everybody.

First let's set some top scope variables by inspecting facts:

# Set top scope variables.
# The eyaml key is selected based on the existence of an external fact:
#   'eyaml_private_base_path'
# When the fact is set we are running spec tests and use the
# development keys (the fact carries the base path of the private key);
# otherwise we use the production keys from the default location.
if has_key($::facts, 'eyaml_private_base_path') {
  $eyaml_selector = 'development'
} else {
  $eyaml_private_base_path = '/etc/puppetlabs/puppet/eyaml'
  $eyaml_selector = 'production'
}

Now let's adapt our hiera.yaml:

---
version: 5
defaults:
  datadir: data

hierarchy:
  - name: "Data"
    lookup_key: eyaml_lookup_key
    paths:
      - "hosts/%{::trusted.certname}.yaml"
      - "hosts/%{::trusted.certname}_secrets_%{::eyaml_selector}.yaml"
      - "role/%{::role}/%{::env}.yaml"
      - "role/%{::role}/%{::env}_secrets_%{::eyaml_selector}.yaml"
      - "role/%{::role}.yaml"
      - "role/%{::role}_secrets_%{::eyaml_selector}.yaml"
      - "zone/%{::zone}.yaml"
      - "zone/%{::zone}_secrets_%{::eyaml_selector}.yaml"
      - "common_secrets_%{::eyaml_selector}.yaml"
      - common.yaml
    options:
      pkcs7_private_key: "%{::eyaml_private_base_path}/private_key.pkcs7_%{::eyaml_selector}.pem"
      pkcs7_public_key: "/etc/puppetlabs/code/environments/%{::environment}/eyaml/keys/public_key.pkcs7_%{::eyaml_selector}.pem"

This results in a fairly complex hierarchy, with the benefit that data encrypted with different keys is kept in separate files.

All *_secrets_production.yaml files contain secrets encrypted with the production key. All *_secrets_development.yaml files contain secrets encrypted with the development key.

A further benefit: secrets that have not yet been encrypted with the production key are easy to find by comparing the hiera keys of the *_secrets_development.yaml and *_secrets_production.yaml files.
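The comparison described above, as an added example that is not part of the original post or of example42's tooling: a small Ruby script that pairs each *_secrets_development.yaml with its *_secrets_production.yaml sibling, reports hiera keys present in one stage but not the other, and flags values that are not eyaml ciphertext at all (a plaintext value in a secrets file is a leak regardless of stage). The two file contents and the ENC[PKCS7,...] payloads are constructed placeholders, not real data.

```ruby
require 'yaml'

# Constructed sample contents of a development and a production secrets file.
# The ENC[PKCS7,...] payloads are placeholders, not real ciphertext; the folded
# scalar for profile::api::token mirrors how eyaml writes long blobs.
DEV_SECRETS = <<~YAML
  ---
  profile::db::password: ENC[PKCS7,AAAAdevdb]
  profile::api::token: >
    ENC[PKCS7,AAAAdev
    api]
  profile::smtp::password: ENC[PKCS7,AAAAdevsmtp]
YAML

PROD_SECRETS = <<~YAML
  ---
  profile::db::password: ENC[PKCS7,AAAAproddb]
  profile::api::token: ENC[PKCS7,AAAAprodapi]
  profile::legacy::password: hunter2
YAML

# Shape of a hiera-eyaml ciphertext once line folding and whitespace are removed.
ENC_BLOB = /\AENC\[PKCS7,[A-Za-z0-9+\/=]+\]\z/

def load_secrets(yaml_text)
  YAML.safe_load(yaml_text) || {}
end

# Keys present in one stage's file but absent from the other's.
def compare_secrets(dev, prod)
  {
    missing_in_production: (dev.keys - prod.keys).sort,
    missing_in_development: (prod.keys - dev.keys).sort
  }
end

# Keys whose value is not an eyaml blob: plaintext in a *_secrets_* file.
def plaintext_keys(secrets)
  secrets.reject { |_, v| v.to_s.gsub(/\s+/, '') =~ ENC_BLOB }.keys.sort
end

# Group file paths by stem so each development file can be matched with its
# production sibling, e.g. "role/web" => { development: ..., production: ... }.
def pair_secret_files(paths)
  pairs = Hash.new { |h, k| h[k] = {} }
  paths.each do |path|
    m = path.match(/\A(.*)_secrets_(development|production)\.yaml\z/) or next
    pairs[m[1]][m[2].to_sym] = path
  end
  pairs
end

if $PROGRAM_NAME == __FILE__
  dev  = load_secrets(DEV_SECRETS)
  prod = load_secrets(PROD_SECRETS)
  diff = compare_secrets(dev, prod)
  puts "missing in production:   #{diff[:missing_in_production].join(', ')}"
  puts "missing in development:  #{diff[:missing_in_development].join(', ')}"
  puts "plaintext in production: #{plaintext_keys(prod).join(', ')}"
end
```

Run against a real data directory, `pair_secret_files(Dir.glob('data/**/*.yaml'))` yields the stems to iterate over; a stem with only a development entry is a file whose production counterpart was never created, which is exactly the gap that would otherwise surface as a failed lookup on the production Puppet server.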

Martin Alfke
